Who Is On My Wi-Fi?

How to see who is using your Wi-Fi

If you've ever wondered who is using your Wi-Fi, you're not alone. By now, most people understand the need to secure the Wi-Fi networks provided by their router access point (AP). In most cases, this process is not about countering determined attackers (unless what you do online is sensitive, you probably don’t have to worry too much about them) but about fending off the opportunistic, low-complexity threat posed by neighbors trying to squat on your network and get free access.

But in order to protect your network, your Wi-Fi security practices cannot consist solely of setting up obstacles for intruders. They must go deeper and include monitoring the internal state of your network to ensure that only those authorized to have access actually have it. Having an in-depth picture of the state of your network, including the devices on it, also has diagnostic benefits. For example, being able to see devices on the network will tell you if your wireless-connected printer goes offline.

This guide will teach you how to implement this type of monitoring, first by providing a crash course in what to look for, and then by walking you through options for identifying these indicators.

How Are Devices Displayed and Distinguished On My Network?

Any device connected to your network is identified in two main ways: by its IP address and by its MAC address. The IP address you will be dealing with is not a public (i.e. internet-wide unique) IP, but an IP address on your internal network (also called a local area network or LAN) that your router assigns to every device on it.

Every device must have an address that is unique on the LAN to communicate with the router, whether you’re using that device to reach the internet or talk to other devices on the LAN. In most cases, routers assign LAN IP addresses dynamically, with different devices getting different IP addresses at different times, rather than statically (i.e. giving the same device the same address every time). Generally, the router reserves a range of addresses and assigns the first address in the range to the first device that connects to it, then the second address to the second connecting device, and so on.

As stated earlier, MAC addresses are the other main designator that routers use, usually in conjunction with IPs, to tell connected devices apart. MAC has nothing to do with Apple products but, rather, refers to a device’s Media Access Control address. This is a hardware serial number that is built into the wireless card (or, more technically, network interface controller or NIC) of every device. As such, it almost never changes.

Depending on your router, you might also get information about a device’s hostname, or some other kind of identifying information. A hostname is the name a computer calls itself. This may be either deliberately chosen by the user or set automatically by the device operating system.

Another way that routers sometimes differentiate devices is by guessing and displaying the make and (in some cases) model of the device. How does it determine this? Manufacturers often reserve a range of the first three (of six) segments of a MAC address for their company, or even for particular models of NICs that they make, so that their NICs can easily be identified both within the company and publicly. This three-segment designator is called an OUI (organizationally unique identifier). Upon detecting a MAC, some routers will look it up in a table of known OUI blocks and use the corresponding entry as a description of the device.

How to Scan for Devices to Learn Who's On Your Network

There are a couple of ways you can scan for devices connected to your network. The first method (and the one this guide will adopt when it comes to blocking suspicious devices) is to consult the router’s web-based graphical user interface (GUI). Almost all consumer routers have a web-based UI that you can access (from a device on the LAN) by entering the router's own LAN IP address into your browser. This address can usually be found in your router’s user manual or, failing that, in online support forums.

Netgear genie web user interface on the Firefox browser.

Some router firmware lets you see historical lists of MAC addresses that have logged onto the network, but almost all will give you a means of reviewing the MAC addresses of currently connected devices. If your router has whitelisting/blacklisting functionality, it is virtually guaranteed that your router has one or the other of these options as, otherwise, it would be difficult to know which MACs to enter.

Netgear genie user interface on the Firefox browser, on a page containing a table listing the LAN IP addresses and MAC addresses of connected devices.

The second avenue for creating an inventory of connecting devices is a router’s historical logs. Not all routers give administrators access to the full logs, but if you can open some subset of logs, there is a possibility that you can view a historical record of MACs that have connected.

These are by no means the only ways of creating a basic catalog of devices on the network, but they are the ones that are both straightforward and fit within the scope of this tutorial.
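
Added example (not part of the original article): a short Python script that takes the device table copied from a router's connected-devices page, normalizes each MAC, splits off the OUI described above, and separates the devices you recognize from the ones you don't. The function names, the sample rows and the one-entry vendor table are constructed for illustration. It goes slightly beyond the article by also flagging locally administered (software-chosen) addresses, for which an OUI lookup means nothing.

```python
import re

# Constructed vendor table; a real lookup would use the IEEE OUI registry.
# 00:00:5E is IANA's OUI, and 00:00:5E:00:53:xx is reserved for documentation.
OUI_TABLE = {"00:00:5E": "IANA (documentation range)"}
# MACs you recognize, in whatever notation you noted them (constructed).
KNOWN = ["00:00:5e:00:53:01", "00-00-5E-00-53-02"]
# Constructed rows, as copied from a router's attached-devices page.
DEVICE_TABLE = """\
192.168.1.2  00:00:5E:00:53:01  laptop
192.168.1.3  0000.5e00.5302     printer
192.168.1.4  00-00-5E-00-53-7F  --
192.168.1.5  DA:A1:19:4C:0B:E2  phone
192.168.1.6  00:00:5E:00:53     truncated-row
"""

def normalize(mac):
    """Return the MAC as upper-case AA:BB:CC:DD:EE:FF, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def describe(mac):
    """Split a normalized MAC into the facts a router's device list shows."""
    # Bit 0x02 of the first octet marks a locally administered address: it was
    # chosen by software (e.g. randomized), so its OUI names no manufacturer.
    local = bool(int(mac[:2], 16) & 0x02)
    return {"mac": mac, "oui": mac[:8], "local": local,
            "vendor": None if local else OUI_TABLE.get(mac[:8])}

def audit(table, known):
    """Return (recognized, unrecognized, malformed) for a pasted device table."""
    allowed = {normalize(m) for m in known}
    recognized, unrecognized, malformed = [], [], []
    for line in filter(str.strip, table.splitlines()):
        fields = line.split()
        mac = normalize(fields[1]) if len(fields) > 1 else None
        if mac is None:
            malformed.append(line.strip())
            continue
        entry = dict(describe(mac), ip=fields[0], name=" ".join(fields[2:]))
        (recognized if mac in allowed else unrecognized).append(entry)
    return recognized, unrecognized, malformed

if __name__ == "__main__":
    for d in audit(DEVICE_TABLE, KNOWN)[1]:
        note = "locally administered" if d["local"] else d["vendor"] or "vendor unknown"
        print(d["ip"], d["mac"], d["name"], f"[{note}]")
```

An unrecognized entry is not automatically an intruder: a phone or laptop that randomizes its MAC will show up as locally administered until you note its current address.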

Denying Access to Rogue Users

If your tally of networked devices revealed a rogue device, the next step will be to block it. The best means of doing this is to establish either a whitelist policy or a blacklist policy, commonly known as whitelisting and blacklisting, respectively.

So which of these tactics should you use? Blacklisting is good if your network topography (the devices that typically connect to it) changes on a fairly regular basis, or if you are using devices whose MAC addresses you’re unsure of. Once you detect an unauthorized user, you simply enter their MAC address into the blacklist policy, and all devices matching that MAC address (which should only be that one) will be denied a connection.

Whitelisting, however, is a much more secure policy, since it blocks all devices that do not match the list of authorized MAC addresses given. This is also good if your rogue user is somewhat sophisticated, and has used MAC spoofing. MAC spoofing is a software-based technique that allows people to send out a fake MAC address of their choice rather than the one built into the NIC of their device.

MAC spoofing can easily circumvent blacklists, because the attacker simply needs any of the billions of MAC addresses that aren’t on your list. To get around a whitelist, however, the attacker would have to guess the MAC address of one of the few devices you have explicitly authorized, which is highly unlikely unless they have gone to greater lengths to spy on you (which is far beyond the scope of this guide).

To set up a whitelist, you have to enter the MAC address of every device you and other authorized users of the network will ever want to use on the network. You don’t have to get this right on the first try: as long as at least one device you control is on the whitelist, you can log back into the router’s UI and add (or delete) MACs from the whitelist.

Routers from different manufacturers, and even those of different generations or product lines from the same manufacturer, can vary widely in their UI, so there is no single set of directions that works for everything. To show the basic concept of how to implement a whitelist policy, here is an example using a common Netgear consumer router (the N Series) with the latest firmware version installed.

Since this model only allows a whitelist, and since that is the recommended policy for keeping intruders off your network, the steps below will demonstrate that method.

  1. Determine the MAC address of authorized devices that are already connected. It's best to start with these and then add more devices you want to be able to connect later as needed instead of waiting to catalog every device you want to connect. Shutting out a few legitimate users and all illegitimate users now is better than letting every legitimate and illegitimate user continue to access your network while you hunt down every one of your devices.

  2. Navigate to the whitelist policy page of your router web GUI. This may be called something other than "whitelist," such as "access list," so check for any page with a synonymous title if you're having trouble finding it.

    Netgear genie web UI page for Advanced Wireless Settings on the Firefox browser.
  3. Choose the option to Edit the whitelist policy table, but do not turn it on yet.

    Netgear genie web UI page for Advanced Wireless Settings on the Firefox browser.
  4. On each line, add one of the MAC addresses that you want to authorize and any other relevant or helpful information you want to accompany it, such as a device name or description. Repeat this for every MAC you want to authorize.

    Netgear genie web UI page with two text boxes with text entered, on the Firefox browser.
  5. When you've finished adding all the devices you want to include, activate the whitelist policy.

Remember, you can come back and edit this policy to add or remove devices as the users on your network change.